I have read around SQL Injection and went to the site that the pictures lead you to (from the page's source) but from what I read I need to find some sort of FORM within the HTML code, which I found nowhere there. I tried running some SQL Injection on the URL but no luck and now that site appears off. What am I doing wrong here exactly?

aronnas wrote:I have read around SQL Injection and went to the site that the pictures lead you to (from the page's source) but from what I read I need to find some sort of FORM within the HTML code, which I found nowhere there. I tried running some SQL Injection on the URL but no luck and now that site appears off. What am I doing wrong here exactly?

The SQLi does not need to be executed on the URL.Look for an alternative place to try and execute SQLi.

[Edit] Trying to manipulate the URL of the picture's location is not correct. You need to go back and look at the source of the main page again. Once you have found what you need, and go there; you will have the form right in front of you.

Yeah, I got this and passed this challenge. So I tried to run SQL Injection on a real page, as it appears! Am I in trouble or something? I didn't know, I just went there because the source from the pics led me

aronnas wrote:Yeah, I got this and passed this challenge. So I tried to run SQL Injection on a real page, as it appears! <br>Am I in trouble or something? I didn't know, I just went there because the source from the pics led me

You should be alright. Just be more careful 'where you are' next time.

"The quieter you become, the more you are able to hear...""Drink all the booze, hack all the things."

aronnas wrote:Yeah, I got this and passed this challenge. So I tried to run SQL Injection on a real page, as it appears! <br>Am I in trouble or something? I didn't know, I just went there because the source from the pics led me

You should be alright. Just be more careful 'where you are' next time.

I will agree with that for most situations, as knowing the correct place to carry out attacks can be vital. As for HTS, luckily there is a challenge to actually hack hackthissite.org.

I figured it out, but can someone explain to me why you only use one and not two? If you guys don't understand, feel free to message me. But what Im talking about is, at the end of the command, why do you use only one rather than 2? all other websites tell you to use two but it wasnt working for me.

by -Ninjex- on Fri May 10, 2013 4:37 pm ([msg=75536]see Re: Please ask questions ONLY in this topic.[/msg])

LeoDaVinci wrote:I figured it out, but can someone explain to me why you only use one and not two? If you guys don't understand, feel free to message me. But what Im talking about is, at the end of the command, why do you use only one rather than 2? all other websites tell you to use two but it wasnt working for me.

Okay, let me explain this:The challenges here are staged and not real. 99x out of 100x, people will use one.Basically, that string you used was checked for a match, to allow you to win.However, anything in actuality would work if this was a real vulnerability in the site.

Think of it like this for a real site..The data gets processed something like this:

part will be filled in with whatever the user enters into a field, such as a user name/ password.

Now, with the string that you used, you should be able to realize how it breaks off the desired statement and then tricks the SQL server to sending back all the data within the login field, instead of just passing back the usernames.I hope this helps,- Ninjex

Last edited by -Ninjex- on Sat May 11, 2013 3:39 am, edited 1 time in total.

by impulse_x on Fri May 10, 2013 8:27 pm ([msg=75542]see Re: Please ask questions ONLY in this topic.[/msg])

I think I past this mission, but the only thing that happens is I get to the hackthissite.org page with "Go On".. kinda likewhat happens in Basic 11. I thought I was supposed to edit some page or am I reading it too literal?